Last week, students from qLegal at Queen Mary University of London hosted our ‘Data Protection for Digital Health Startups’ Lunch&Learn at Health Foundry. qLegal provides free legal advice and resources to tech start-ups and entrepreneurs. This workshop was provided as part of eHealth Hub, a new EU-funded initiative that is cross-border and exclusively focused on digital health.
The session started by outlining the relevant legislation currently in place: the Data Protection Act 1988 (DPA). The DPA governs the processing of personal data, including sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, physical or mental health or condition, sexual life, or the commission or alleged commission by the data subject of any offence.
They then spoke about the new General Data Protection Regulation (GDPR) which will replace the existing Data Protection Act and will become enforceable from 25 May 2018. GDPR is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The team highlighted the importance of healthtech companies knowing the difference between a ‘data controller’ and a ‘data processor’, in order to recognise that not all organisations involved in the processing of personal data have the same degree of responsibility. “Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed. “Data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. It is the data controller that must exercise control over the processing and carry the data protection responsibility for it.
Under the new regulation, data controllers will no longer need to register with the Information Commissioner's Office (ICO) as data controllers. However, the Digital Economy Act states that data controllers will need to pay the ICO a data protection fee. The ICO aims to make the fees fair and reasonable for each company.
qLegal then went on to describe the main differences between DPA and GDPR that would be relevant for digital health startups:
Geography & Reach
In terms of reach, the current DPA is enforced in the UK, whereas the new GDPR will affect anyone in the EU (and any global company holding data on EU citizens when providing them with goods or services and/or monitoring their behaviour).
Data protection officer (DPO)
The current law suggests that it is not necessary to have a dedicated DPO, while the GDPR calls for the mandatory appointment of a DPO for any organisation that processes or stores large amounts of personal data, whether for employees, individuals outside the organisation, or both.
Data Breaches & Data Erasure
Under the current DPA there is no formal obligation to report breaches, whereas under the GDPR breach notification is mandatory where a breach could pose a risk to the rights and freedoms of individuals. The new law also states that individuals can request removal of data referring to them (the Right to be Forgotten), whereas there is currently no requirement for data erasure under the DPA.
Consent
Under the DPA there is no explicit requirement to obtain consent for data processing. The GDPR states the need for clear consent from individuals to collect their data, such as ‘opting in’, with explicit consent required for automated decision making.
Privacy by Design
When addressing the issue of privacy by design, there is currently no legal requirement under the DPA, whereas the GDPR stipulates that data protection measures need to be designed into the development of the business from the outset.
Accountability
Under the DPA the general rules are not well defined. However, under the GDPR each business must be able to demonstrate that it complies with the regulation, and it is its responsibility alone to ensure that it does.
Privacy Notices
Under the current DPA there is no strict obligation in terms of privacy notices, whereas the right to be informed is strengthened by the GDPR and is typically fulfilled through a privacy notice.
Fines
The fines associated with getting it wrong once the GDPR comes into effect are significant. Currently, fines of up to £500,000 or 1% of annual turnover can be incurred, whereas the new law states penalties of up to 4% of annual global turnover or 20 million Euros (whichever is greater) for breaches.
The qLegal team then talked through some common mistakes that health startups may encounter when transitioning to the GDPR.
Ignoring the importance (doing it right) and implications (getting it wrong) of data protection law.
Being unaware that they are processing personal data.
Being unaware of the different roles and responsibilities for handling data protection within the company.
The data controller thinking the data processor will be the only one held legally liable (and vice versa).
Transferring data to a different jurisdiction without being aware of the risk.
In summary, the transition to the GDPR does create challenges for businesses, but at the same time it also creates opportunity. Companies that show they value an individual’s privacy, that are transparent about how the data is used, and that design and implement new and improved ways of managing customer data will ultimately build deeper trust and retain more loyal customers, as well as avoiding hefty fines! The team urged the startups in the room to start preparing for the new changes in the law, understand how it will impact their business, and think about what they can do now to become compliant by May 2018.
Thanks again to qLegal for their presentation on Data Protection for Digital Health Startups. If you’re interested in finding out more about 'How to get your digital health innovation into the NHS' then do sign up to our next Lunch&Learn on the 18th January.